diff --git a/examples/scripts/cloud-config.txt b/examples/scripts/cloud-config-centos-atomic.txt similarity index 100% rename from examples/scripts/cloud-config.txt rename to examples/scripts/cloud-config-centos-atomic.txt diff --git a/examples/scripts/cloud-config-ubuntu-snappy.txt b/examples/scripts/cloud-config-ubuntu-snappy.txt new file mode 100644 index 0000000..4a0e999 --- /dev/null +++ b/examples/scripts/cloud-config-ubuntu-snappy.txt @@ -0,0 +1,14 @@ +#cloud-config +snappy: + ssh_enabled: True + packages: + – docker + +# Add users to the system. Users are added after groups are added. +users: + - name: davidy + sudo: ALL=(ALL) NOPASSWD:ALL + ssh-authorized-keys: + - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFkmE2zK7uE9q75nzQxa9tQPHiCgaEUkIDj9xdoPL911 davidy@funkypenguin.co.nz +runcmd: + - /usr/bin/snap refresh diff --git a/manuscript/book.txt b/manuscript/book.txt index 35e442b..c06708e 100644 --- a/manuscript/book.txt +++ b/manuscript/book.txt @@ -29,3 +29,5 @@ sections/reference.md reference/oauth_proxy.md reference/data_layout.md reference/networks.md +reference/git-docker.md +reference/openvpn.md diff --git a/manuscript/reference/openvpn.md b/manuscript/reference/openvpn.md new file mode 100644 index 0000000..ad9fdd1 --- /dev/null +++ b/manuscript/reference/openvpn.md @@ -0,0 +1,58 @@ +# OpenVPN + +Sometimes you need an OpenVPN tunnel between your docker hosts and some other environment. I needed this to provide connectivity between swarm-deployed services like Home Assistant, and my IOT devices within my home LAN. + +OpenVPN is one application which doesn't really work in a swarm-type deployment, since each host will typically require a unique certificate/key to connect to the VPN anyway. + +In my case, I needed each docker node to connect via [OpenVPN](http://www.openvpn.org) back to a [pfsense](http://www.pfsense.org) instance, but there were a few gotchas related to OpenVPN at CentOS Atomic which I needed to address first. + +## SELinux for OpenVPN + +Yes, SELinux. Install a custom policy permitting a docker container to create tun interfaces, like this: + +```` +cat << EOF > docker-openvpn.te +module docker-openvpn 1.0; + +require { + type svirt_lxc_net_t; + class tun_socket create; +} + +#============= svirt_lxc_net_t ============== +allow svirt_lxc_net_t self:tun_socket create; + +EOF + +checkmodule -M -m -o docker-openvpn.mod docker-openvpn.te +semodule_package -o docker-openvpn.pp -m docker-openvpn.mod +semodule -i docker-openvpn.pp +```` + +## Insert the tun module + +Even with the SELinux policy above, I still need to insert the "tun" module into the running kernel at the host-level, before a docker container can use it to create a tun interface. + +Run the following to auto-insert the tun module on boot: + +```` +cat << EOF >> /etc/rc.d/rc.local +# Insert the "tun" module so that the vpn-client container can access /dev/net/tun +/sbin/modprobe tun +EOF +chmod 755 /etc/rc.d/rc.local +```` + +## Connect the VPN + +Finally, for each node, I exported client credentials, and SCP'd them over to the docker node, into /root/my-vpn-configs-here/. I also had to use the NET_ADMIN cap-add parameter, as illustrated below: + +```` +docker run -d --name vpn-client \ + --restart=always --cap-add=NET_ADMIN --net=host \ + --device /dev/net/tun \ + -v /root/my-vpn-configs-here:/vpn:z \ + ekristen/openvpn-client --config /vpn/my-host-config.ovpn +```` + +Now every time my node boots, it establishes a VPN tunnel back to my pfsense host and (_by using custom configuration directives in OpenVPN_) is assigned a static VPN IP. diff --git a/mkdocs.yml b/mkdocs.yml index ea6854f..841c9f7 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -52,6 +52,7 @@ pages: - Data Layout: reference/data_layout.md - Networks: reference/networks.md - git-docker : reference/git-docker.md + - OpenVPN : reference/openvpn.md extra: disqus: 'geeks-cookbook'